CISA warns critical infrastructure owners, operators of GPS Daemon bug


The Cybersecurity and Infrastructure Security Agency (CISA) on Thursday warned critical infrastructure (CI) owners and operators, and other users who obtain Coordinated Universal Time (UTC) from Global Positioning System (GPS) devices, of a GPS Daemon (GPSD) bug present in GPSD versions 3.20 (released Dec. 31, 2019) through 3.22 (released Jan. 8, 2021).

“On October 24, 2021, Network Time Protocol (NTP) servers using bugged GPSD versions 3.20-3.22 may rollback the date 1,024 weeks—to March 2002—which may cause systems and services to become unavailable or unresponsive,” CISA said in its advisory. The security agency has urged affected CI owners and operators to ensure systems that use GPS Daemon to obtain timing information from GPS devices are using GPSD version 3.23 released Aug. 8, 2021, or newer.

The CISA advisory did not provide any measures that critical infrastructure owners and operators, and other users, could put in place to reduce exposure to the GPS Daemon bug, nor did it outline how the sector would be affected.

A reader recently highlighted a bug in the GPSD project that could cause time to roll back in October 2021, according to a post on the Internet Storm Center (ISC). Because of the design of the GPS protocol, time rollback (technically termed ‘GPS Week Rollover’) can be anticipated and is usually closely monitored by manufacturers.

The ISC relies on an all-volunteer effort to detect problems, analyze the threat, and disseminate both technical as well as procedural information to the general public. Thousands of sensors that work with most firewalls, intrusion detection systems, home broadband devices, and nearly all operating systems are constantly collecting information about unwanted traffic arriving from the Internet.

“The next occurrence should have been in November 2038, but a bug in some sanity checking code within GPSD would cause it to subtract 1024 from the week number on October 24, 2021. This would mean NTP servers using the bugged GPSD version would show a time/date of March 2002 after October 24, 2021,” it added.

The maintainer of GPS Daemon, Gary E. Miller, indicated that users should upgrade to version 3.23.1, released on Sept. 21, 2021, ISC said. Organizations that use GPS appliances or rely on GPS Daemon are advised to check whether GPS Daemon is in use anywhere in their infrastructure and which version is installed. An upgrade to GPS Daemon is likely to be required if no recent upgrades were performed. The post also recommended that blue teams keep a mental note of the date October 24, 2021.

If systems that had been authenticating normally start to have authentication issues after Oct. 24, 2021, it could be due to a mismatched date and time (likely March 2002) caused by time synchronization with an errant NTP server running a bugged version of GPS Daemon, ISC said.
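To make the week-number mechanics behind the ISC description concrete, here is an added Python example (not GPSD's code, and not from ISC or CISA) that converts UTC dates to GPS week numbers, shows how a wrapped 10-bit week counter should be disambiguated against a known floor date, models the sanity-check failure described above as a hypothetical subtraction of 1024 weeks from the week of Oct. 24, 2021 onward, and includes a small check a blue team could run against the date a time source reports. The reconstruction of the faulty check and the floor-date approach are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

GPS_EPOCH = datetime(1980, 1, 6, tzinfo=timezone.utc)  # GPS week 0 began on this Sunday
WEEK = timedelta(weeks=1)
ROLLOVER = 1024  # legacy GPS week counter is 10 bits wide, so it wraps every 1024 weeks


def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)


def gps_week(when):
    """Full (unwrapped) GPS week number of a UTC datetime; leap seconds are ignored."""
    return (when - GPS_EPOCH) // WEEK


def week_start(week):
    """UTC datetime at which the given full GPS week begins."""
    return GPS_EPOCH + week * WEEK


def resolve_week(raw_week, not_before):
    """Disambiguate a wrapped 10-bit week counter by choosing the first candidate that is
    not earlier than a known floor (e.g. the software's build date). Constructed
    illustration of the sound approach, not GPSD's own code."""
    week = raw_week % ROLLOVER
    floor = gps_week(not_before)
    while week < floor:
        week += ROLLOVER
    return week


def buggy_resolve_week(full_week):
    """Hypothetical model of the failure the advisory describes: a sanity check that,
    starting with the week containing 24 Oct 2021, subtracts 1024 weeks."""
    if full_week >= gps_week(utc(2021, 10, 24)):
        return full_week - ROLLOVER
    return full_week


def looks_like_week_rollback(reported, reference):
    """Monitoring aid: True when a time source's reported time sits a whole multiple of
    1024 weeks behind a trusted reference clock, the signature of a week-counter rollback."""
    weeks_behind = round((reference - reported) / WEEK)
    return weeks_behind > 0 and weeks_behind % ROLLOVER == 0


if __name__ == "__main__":
    w = gps_week(utc(2021, 10, 24))                       # 2181
    bad = buggy_resolve_week(w)                           # 1157
    print(w, bad, week_start(bad).date())                 # 2181 1157 2002-03-10
    print(resolve_week(w % ROLLOVER, utc(2021, 1, 1)))   # 2181
    print(looks_like_week_rollback(utc(2002, 3, 10), utc(2021, 10, 25)))  # True
```

Running it shows week 2181 collapsing to week 1157, which begins on March 10, 2002, matching the March 2002 date in the advisory; the same wrapped value resolves correctly once a floor date is applied.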

The Network Time Protocol (NTP) has been critical in ensuring that time is kept accurately for the many systems businesses and organizations rely on. Authentication mechanisms such as time-based one-time password (TOTP) and Kerberos also rely heavily on time. As such, should there be a severe mismatch in time, users would be unable to authenticate and gain access to systems.

From the perspective of incident handling and incident response, well-synchronized time across systems facilitates log analysis, forensic activities, and correlation of events. Depending on operational requirements, organizations may choose to utilize public NTP servers for their time synchronization needs. For organizations that require higher time accuracy, they could opt for GPS appliances and use daemons such as GPSD to extract time information from these GPS appliances.
